- title: "SAST analyzer consolidation and CI/CD template changes"
  announcement_milestone: "14.8"
  removal_milestone: "15.4"
  breaking_change: true
  reporter: connorgilbert
  body: |  # Do not modify this line, instead modify the lines below.
    GitLab SAST uses various [analyzers](https://docs.gitlab.com/ee/user/application_security/sast/analyzers/) to scan code for vulnerabilities.

    We are reducing the number of analyzers used in GitLab SAST as part of our long-term strategy to deliver a better and more consistent user experience.
    Streamlining the set of analyzers will also enable faster [iteration](https://about.gitlab.com/handbook/values/#iteration), better [results](https://about.gitlab.com/handbook/values/#results), and greater [efficiency](https://about.gitlab.com/handbook/values/#efficiency) (including a reduction in CI runner usage in most cases).

    In GitLab 15.4, GitLab SAST will no longer use the following analyzers:

    - [ESLint](https://gitlab.com/gitlab-org/security-products/analyzers/eslint) (JavaScript, TypeScript, React)
    - [Gosec](https://gitlab.com/gitlab-org/security-products/analyzers/gosec) (Go)
    - [Bandit](https://gitlab.com/gitlab-org/security-products/analyzers/bandit) (Python)

    NOTE:
    This change was originally planned for GitLab 15.0 and was postponed to GitLab 15.4.

    These analyzers will be removed from the [GitLab-managed SAST CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml) and replaced with the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep).
    Effective immediately, they will receive only security updates; other routine improvements or updates are not guaranteed.
    After these analyzers reach End of Support, no further updates will be provided.
    We will not delete container images previously published for these analyzers; any such change would be announced as a [deprecation, removal, or breaking change announcement](https://about.gitlab.com/handbook/marketing/blog/release-posts/#deprecations-removals-and-breaking-changes).

    We will also remove Java from the scope of the [SpotBugs](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) analyzer and replace it with the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep).
    This change will make it simpler to scan Java code; compilation will no longer be required.
    This change will be reflected in the automatic language detection portion of the [GitLab-managed SAST CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml). Note that the SpotBugs-based analyzer will continue to cover Groovy, Kotlin, and Scala.

    If you've already dismissed a vulnerability finding from one of the deprecated analyzers, the replacement attempts to respect your previous dismissal. The system behavior depends on:

    - whether you've excluded the Semgrep-based analyzer from running in the past.
    - which analyzer first discovered the vulnerabilities shown in the project's Vulnerability Report.

    See [Vulnerability translation documentation](https://docs.gitlab.com/ee/user/application_security/sast/analyzers.html#vulnerability-translation) for further details.

    If you applied customizations to any of the affected analyzers or if you currently disable the Semgrep analyzer in your pipelines, you must take action as detailed in the [deprecation issue for this change](https://gitlab.com/gitlab-org/gitlab/-/issues/352554#breaking-change).
# The following items are not published on the docs page, but may be used in the future.
  stage: Secure
  tiers: [Free, Silver, Gold, Core, Premium, Ultimate]
  issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/352554
